Weak credentials and overly permissive privileges get leveraged in attacks all the time. Here’s what to do about it.
Today, one of the most significant sources of exposure is stolen or misused identity credentials. Because they feature in so many of today’s attacks, this issue sits at the top of any CISO’s priority list for 2023.
Identity-based attacks comprise some of the most effective, most destructive cyberattacks out there. The issue touches the core of identity, credentials, and access management – who you are, how you prove it, and what you can do with it. Once a valid user’s credentials are compromised and a threat actor is masquerading as that user…the damage is done. If the attacker is careful, it’s nearly impossible to differentiate between the user’s typical behavior and that of the imposter.
According to Verizon, in 2022, the human factor was pivotal in 82% of all breaches. Identity-focused exposures are on the rise for the simple reason that they underlie some of the most successful breaches in recent years – most notably, the recent breaches at Uber and SolarWinds.
Attackers are proving ever-more adept at accessing valid credentials and using them to move laterally throughout networks undetected. What’s more, privilege misuse attacks are consistently difficult to discover. This leaves attackers plenty of time in the network to exfiltrate the data they’re looking for, as well as plant a backdoor or manipulate code – often compounding the attack’s impact.
Here at XM Cyber, we are always looking at exposures in relation to attack paths and how they can be leveraged; what we have found is that 80% of attack paths to critical assets involve some identity-related exposure. To help protect your organization’s identity perimeter, here are four things you need to do yesterday:
TO DO #1 – Lock down your password strategy
Passwords have literally been around for centuries, long before computers. They’ve always worked well…as long as the rules for use are followed. It’s no different in the digital age.
Passwords in your (and every) organization are most likely frequently shared or overlapping. This means that the first step is purely educational. Develop a list of password best practices and teach your employees. Consider adopting an organizational password manager…but keep in mind that even the best of these have suffered devastating breaches.
What’s more, while unguessably complex passwords are highly secure, they’re also impossible to remember. This leads users and admins alike to write them down, on paper or in a file, where they are easily discovered. Consider implementing a passphrase generator that lets users generate a passphrase of 3-4 words that is inherently memorable.
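As an added illustration (not code from XM Cyber or from this post) of what such a passphrase generator looks like, the Python below draws words with the operating system’s CSPRNG and reports the entropy the phrase actually carries. The word list is a constructed 32-word sample chosen to keep the example short; the entropy figures it produces show why a real deployment needs a list in the thousands of words. The policy threshold and the `meets_policy` check are assumptions for the example, not a standard.

```python
import math
import secrets

# Constructed word list for illustration only (32 words = 5 bits per word).
# A real deployment loads a large list such as the EFF long list (7,776 words),
# where each word adds log2(7776) ~ 12.9 bits.
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nectar",
    "orchard", "pebble", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "bridge", "copper", "desert",
    "forest", "glacier", "hammock", "iceberg",
]


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words chosen uniformly and independently from the list.

    Words are sampled with replacement, so every word contributes exactly
    log2(wordlist_size) bits regardless of which words come out.
    """
    if n_words < 1 or wordlist_size < 2:
        raise ValueError("need at least one word and a list of two or more words")
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int = 4, wordlist=WORDLIST, separator: str = "-") -> str:
    """Build a memorable passphrase from n_words random dictionary words.

    secrets.choice uses the OS CSPRNG; random.choice is predictable and must
    never be used to produce credentials.
    """
    if not 3 <= n_words <= 8:
        raise ValueError("choose between 3 and 8 words")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def meets_policy(passphrase: str, wordlist=WORDLIST, min_bits: float = 40.0,
                 separator: str = "-") -> bool:
    """Check that a phrase was built from the list and carries at least min_bits.

    Entropy is credited from word count and list size only, never from how
    'random' the specific words look, so the verdict is the same for every
    phrase the generator emits. The 40-bit default is an assumed policy value.
    """
    words = passphrase.split(separator)
    if any(w not in wordlist for w in words):
        return False
    return passphrase_entropy_bits(len(words), len(wordlist)) >= min_bits


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    bits = passphrase_entropy_bits(4, len(WORDLIST))
    print(phrase, f"{bits:.1f} bits", "ok" if meets_policy(phrase) else "too weak")
```

Run stand-alone, the script prints a four-word phrase and "too weak": four words from a 32-word list give only 20 bits, while four words from a 7,776-word list give about 51.7 bits. The list size, not the word count, is what a deployment has to get right.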
TO DO #2 – Secure Your Active Directory
AD and Azure AD are critical to your productivity and uptime. So, it’s good to periodically review your AD/Azure AD security, and ensure that:
- Employees don’t have admin accounts – Since attacks usually start at endpoints, if endpoints have admin privileges, hackers get them, too. Your users usually do not need admin privileges to do their jobs. Consider simply revoking local admin privileges and letting users ask if they need greater privileges.
- Everyone practices good digital hygiene – AD and Azure AD are complex environments. Over time, stale objects (like defunct groups, users that have left the company, decommissioned endpoints, etc.) stack up. These impede security efforts and expand the attack surface. Simply practicing good AD hygiene can make a huge difference.
- There are no permanent security group memberships – Once attackers get into Domain Admin, Enterprise Admin and Schema Admin security groups…they’ve got the keys to everything. That means if admins have permanent membership in these groups, a smart hacker will attack their personal accounts to get membership. To avoid this, simply make membership in security groups temporary.
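The two checks behind the second and third bullets can be scripted against a directory export. The Python below is an added example written for this post, not XM Cyber’s tooling: it flags stale users, computers and empty groups, and lists every privileged-group membership that has no active expiry. The objects, attribute names, the `TEMPORARY_ASSIGNMENTS` record (standing in for whatever your PAM/PIM tool exports) and the 90-day threshold are all constructed for the example; a real run would populate `OBJECTS` from the ActiveDirectory PowerShell module or LDAP.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible.
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample of directory objects. Field names mirror common AD
# attributes; every value is invented for this example.
OBJECTS = [
    {"name": "alice", "class": "user", "enabled": True,
     "lastLogonTimestamp": NOW - timedelta(days=2), "memberOf": {"Domain Users"}},
    {"name": "bob", "class": "user", "enabled": True,
     "lastLogonTimestamp": NOW - timedelta(days=200), "memberOf": {"Domain Users"}},
    {"name": "carol-admin", "class": "user", "enabled": True,
     "lastLogonTimestamp": NOW - timedelta(days=1), "memberOf": {"Domain Admins"}},
    {"name": "svc-legacy", "class": "user", "enabled": False,
     "lastLogonTimestamp": NOW - timedelta(days=400), "memberOf": {"Schema Admins"}},
    {"name": "WS-OLD-01$", "class": "computer", "enabled": True,
     "lastLogonTimestamp": NOW - timedelta(days=150), "memberOf": set()},
    {"name": "Old Project Team", "class": "group", "enabled": True,
     "lastLogonTimestamp": None, "memberOf": set(), "members": set()},
]

# Constructed record of time-bound (just-in-time) privileged assignments, as a
# PAM/PIM tool would export them: (principal, group) -> expiry. A privileged
# membership with no entry here is treated as permanent.
TEMPORARY_ASSIGNMENTS = {
    ("carol-admin", "Domain Admins"): NOW + timedelta(hours=4),
}


def find_stale_objects(objects, now=NOW, max_age_days=90):
    """Names of accounts/computers with no logon in max_age_days, plus empty groups.

    Disabled-but-undeleted accounts are deliberately included: they keep their
    group memberships and can be re-enabled by anyone holding the right ACL.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for obj in objects:
        if obj["class"] == "group":
            if not obj.get("members"):
                stale.append(obj["name"])
        elif obj["lastLogonTimestamp"] is None or obj["lastLogonTimestamp"] < cutoff:
            stale.append(obj["name"])
    return stale


def find_permanent_privileged_members(objects, temporary=TEMPORARY_ASSIGNMENTS,
                                      privileged=PRIVILEGED_GROUPS, now=NOW):
    """(principal, group) pairs holding a privileged membership with no live expiry."""
    findings = []
    for obj in objects:
        for group in sorted(obj["memberOf"] & privileged):
            expiry = temporary.get((obj["name"], group))
            if expiry is None or expiry <= now:
                findings.append((obj["name"], group))
    return findings


if __name__ == "__main__":
    print("stale:", find_stale_objects(OBJECTS))
    print("permanent privileged:", find_permanent_privileged_members(OBJECTS))
```

On the sample data the stale list is bob, svc-legacy, WS-OLD-01$ and the empty group, and the only permanent privileged membership is the disabled service account still sitting in Schema Admins; carol-admin is not reported because her Domain Admins membership has a future expiry. Pass `temporary={}` to see what the report looks like for a domain with no time-bound assignments at all.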
TO DO #3 – Stop Privilege Escalation
“Privilege creep” is a gradual build-up of unnecessary permissions in various systems. This build-up often goes unnoticed and can dramatically increase the risk and scope of cyberattacks. Aside from conducting regular user access reviews, you can avoid privilege creep by simply keeping access to an absolute minimum according to the Principle of Least Privilege (POLP). Basically, employees should only be given permissions that are absolutely necessary for their job today – no outdated permissions and no “just in case” access rights.
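A user access review can be made mechanical by checking each entitlement against the two rules in the paragraph above: nothing left over from a previous role, and nothing held “just in case”. The Python below is an added example for this post, not XM Cyber’s code. The inventory (grant dates, last-use dates, last role change) is constructed; in practice it would come from an IAM export joined with application or audit logs, and the 90-day unused threshold is an assumed policy value.

```python
from datetime import date, timedelta

# Fixed review date so the example is reproducible.
TODAY = date(2023, 3, 1)

# Constructed entitlement inventory: for each user, the date of their most
# recent role change, and for each entitlement when it was granted and when it
# was last exercised (None = never).
USERS = {
    "alice": {
        "role_changed_on": date(2022, 9, 1),  # moved from finance to engineering
        "entitlements": {
            "git:write":        {"granted": date(2022, 9, 5),  "last_used": date(2023, 2, 27)},
            "erp:approve":      {"granted": date(2021, 1, 10), "last_used": date(2022, 8, 20)},
            "vpn:prod-network": {"granted": date(2022, 9, 5),  "last_used": None},
        },
    },
    "bob": {
        "role_changed_on": date(2020, 5, 1),
        "entitlements": {
            "crm:read": {"granted": date(2020, 5, 2), "last_used": date(2023, 2, 28)},
        },
    },
}


def find_privilege_creep(users, today=TODAY, unused_days=90):
    """Flag entitlements that are outdated or unused.

    Two signals, matching the two things least privilege rules out:
      - 'outdated': granted before the user's last role change, i.e. carried
        over from a previous job (flagged even if still in use, because the
        new role never justified it);
      - 'unused': never exercised, or not in the last unused_days, i.e.
        'just in case' access the user does not need today.
    Returns a sorted list of (user, entitlement, reason).
    """
    cutoff = today - timedelta(days=unused_days)
    findings = []
    for user, info in users.items():
        for ent, meta in info["entitlements"].items():
            if meta["granted"] < info["role_changed_on"]:
                findings.append((user, ent, "outdated"))
            elif meta["last_used"] is None or meta["last_used"] < cutoff:
                findings.append((user, ent, "unused"))
    return sorted(findings)


if __name__ == "__main__":
    for user, ent, reason in find_privilege_creep(USERS):
        print(f"{user}: {ent} ({reason})")
```

On the sample data alice’s ERP approval right is reported as outdated (granted while she was in finance) and her production VPN access as unused (never exercised since the grant); her git access and bob’s CRM access pass. The review output is the revocation list, which is what keeps the creep from accumulating between reviews.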
TO DO #4 – Implement automatic identity management
In any organization, stakeholders come and go. Roles change. People quit. These joiners, movers and leavers – alongside external stakeholders and partners – create an endlessly-shifting multidimensional matrix of identity lifecycles. To lower the time invested in keeping up with attestation, entitlements review and reconciliation, while dramatically raising the accuracy and efficacy of your identity regime, consider implementing an automated event-based identity management system.
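What “event-based” means in practice is that each joiner, mover or leaver event recomputes the account’s desired entitlements from its role and emits only the grants and revocations needed to get there. The Python below is an added example written for this post, not a product’s code: the role baselines, the event stream and the action vocabulary (`grant`, `revoke`, `disable`) are constructed, and a real system would hand the actions to provisioning connectors for AD, the HR system and each application.

```python
# Constructed role model: the entitlements each role is allowed to hold.
ROLE_BASELINES = {
    "finance-analyst": {"erp:read", "erp:approve", "vpn:corp"},
    "engineer":        {"git:write", "vpn:corp", "vpn:prod-network"},
}


def new_account(user):
    """An account before any lifecycle event: no role, disabled, no access."""
    return {"user": user, "role": None, "enabled": False, "entitlements": set()}


def apply_event(account, event):
    """Apply one joiner/mover/leaver event and return (new_account, actions).

    actions is an ordered list of ("grant"|"revoke"|"disable", entitlement)
    for a provisioning connector to carry out. The function never mutates
    its input, so an event stream can be replayed for audit or reconciliation.
    """
    actions = []
    if event["type"] == "leaver":
        # Leaver: strip every entitlement first, then disable the account, so
        # nothing remains usable if the disable step fails half-way.
        for ent in sorted(account["entitlements"]):
            actions.append(("revoke", ent))
        actions.append(("disable", None))
        return {**account, "role": None, "enabled": False, "entitlements": set()}, actions

    if event["type"] not in ("joiner", "mover"):
        raise ValueError(f"unknown event type {event['type']!r}")

    # Joiner/mover: desired state is exactly the new role's baseline. Movers
    # lose what the old role had and the new one lacks, which is the step
    # manual processes most often skip.
    target = set(ROLE_BASELINES[event["role"]])
    current = account["entitlements"]
    for ent in sorted(current - target):
        actions.append(("revoke", ent))
    for ent in sorted(target - current):
        actions.append(("grant", ent))
    return {**account, "role": event["role"], "enabled": True, "entitlements": target}, actions


def replay(user, events):
    """Run a user's full event history; returns the final account and an action log."""
    account = new_account(user)
    log = []
    for ev in events:
        account, actions = apply_event(account, ev)
        log.append((ev["type"], actions))
    return account, log


def detect_drift(account):
    """Entitlements an account holds beyond its current role's baseline.

    Running this against a live snapshot is the reconciliation/attestation
    step: anything listed was granted outside the lifecycle process.
    """
    if not account["enabled"] or account["role"] is None:
        return sorted(account["entitlements"])
    return sorted(account["entitlements"] - ROLE_BASELINES[account["role"]])


# Constructed event stream for one person across their whole tenure.
EVENTS = [
    {"type": "joiner", "user": "alice", "role": "finance-analyst"},
    {"type": "mover",  "user": "alice", "role": "engineer"},
    {"type": "leaver", "user": "alice"},
]

if __name__ == "__main__":
    final, log = replay("alice", EVENTS)
    for kind, actions in log:
        print(kind, actions)
    print("final:", final)
```

Replaying the sample stream shows the mover step revoking the two ERP rights before granting the engineering ones, and the leaver step revoking everything then disabling the account. `detect_drift` is the complementary check: run on a snapshot of the live account, it returns whatever someone added outside the process, which is exactly the set a periodic reconciliation should remove.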
The Bottom Line
To keep identities from being leveraged in attack paths, the best weapons are the simplest: awareness and education. And when combined with the right technology, the human factor is truly only as vulnerable as security stakeholders let it be.